RE: No site security concerns in real life (Full Version)






crumpets -> RE: No site security concerns in real life (1/24/2016 10:08:29 PM)

Like I said quite a few times, there are people who don't feel they need any protection, and there are people who do.
It's just like having sex with a condom, or not.

You're protecting more than yourself.

Some feel they need encryption; others feel they don't.
However, many may not inherently realize that encryption protects your PARTNER (and your future partners).

Encryption is the condom in the metaphor above.

To illustrate the point of how encryption is protection, allow me to post screenshots of a test I ran at a local Starbucks earlier today.

Please be advised that every single computer-savvy person on this planet knows how to do what I did below, which is to put their WiFi NIC into promiscuous mode so that it eavesdrops on ALL wifi communications that it can receive, and logs them using freeware, and then displays the intricate details of every single packet, using a freeware GUI that allows for easy searches for any desired keyword or domain.

For example, here's what the login into collarspace looked like using wireshark freeware after running tcpdump freeware to capture the pcap file as seen by my laptop's wifi NIC set to promiscuous mode.
[image]https://i.imgur.com/2tLFyYW.gif[/image]

Notice that the login is "aaaaaa" and the password of "bbbbbb" easily show up in cleartext for the collarspace domain and IP address login.

Here's that same login into collarspace, using basic run-of-the-mill freeware encryption:
[image]https://i.imgur.com/WayaWoV.gif[/image]
Notice in this second (encrypted) setup, you can't see the fact that I went to collarspace, and you can't see anything but gibberish for the login and password.

Note: Nothing fancy was used here to capture every packet in the building and to search those packets for keywords, and then to display all that login information. This is very simple stuff that has long been freely available to every computer-savvy person in the world. It takes no skill whatsoever to capture your logins and passwords on https unencrypted web sites.
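
As an added example (not the poster's capture or code), here is what a network-security monitor does with a login submitted over plain HTTP: the request is ordinary text, so a defender's sensor on the same network can parse it and alert that a site is accepting cleartext credentials. The sample request, host name and form field names are constructed for the example.

```python
"""Cleartext credential alert for a plain-HTTP form login.

Added example. Over TLS the bytes below would be ciphertext and this
parse could not run at all, which is the point of the screenshots above.
"""
from typing import Dict, Optional
from urllib.parse import parse_qs

# Constructed sample: a plain-HTTP form login as it appears on the wire.
# Host and parameter names are made up for the example.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example-site.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"username=aaaaaa&password=bbbbbb"
)

# Parameter names that usually carry a secret (an assumption; a real
# monitor would use a longer, tuned list).
SECRET_FIELD_NAMES = {"password", "passwd", "pass", "pwd", "passphrase"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def find_cleartext_credentials(raw: bytes) -> Dict[str, str]:
    """Return {field: value} for secret-looking fields in a form-encoded POST.

    GET requests and non-form bodies (JSON, uploads) return an empty dict.
    """
    req = parse_http_request(raw)
    if req["method"] != "POST":
        return {}
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    # Honour Content-Length so pipelined data after the body is not parsed.
    length = int(req["headers"].get("content-length", len(req["body"])))
    fields = parse_qs(req["body"][:length].decode("latin-1"), keep_blank_values=True)
    return {
        name: values[0]
        for name, values in fields.items()
        if name.lower() in SECRET_FIELD_NAMES
    }


def cleartext_login_alert(raw: bytes) -> Optional[str]:
    """One-line alert a monitor would raise, or None if nothing was exposed."""
    creds = find_cleartext_credentials(raw)
    if not creds:
        return None
    req = parse_http_request(raw)
    host = req["headers"].get("host", "?")
    return f"cleartext credential submission to {host}{req['path']} ({', '.join(sorted(creds))})"


if __name__ == "__main__":
    print(cleartext_login_alert(SAMPLE_REQUEST))
```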




furneaux -> RE: No site security concerns in real life (1/25/2016 1:36:00 AM)

Crumpets - it's laudable you have bothered to make an effort to explain. I couldn't be bothered after getting insults from the pig ignorant residentmuppet etc. It is funny to be told I don't know anything about the subject (it's my job) by shoutypants like him. Bless.

I suspect you're wasting your time though. Hopefully some sensible people will take something from it. I've deleted my account (although this board, which took my credentials - no doubt in plain text form - remains active. *slow clap*)




freedomdwarf1 -> RE: No site security concerns in real life (1/25/2016 1:44:14 AM)


quote:

ORIGINAL: crumpets

Do you really THINK for a moment that I have EVER logged into this site without the protection of ENCRYPTION?

NOTE: Encryption such as VPN or TOR are not perfect; but they're the best we can do since the administrators are so lax about basic privacy and security.

You're utterly CRAZY if you log into this site WITHOUT encryption!
I'm fine, since "I" use encryption.

I'm trying to help the OTHERs who don't know what I know about eavesdropping on someone's cleartext communications.
I'd also like to know HOW you folks who say you can meet up with people without giving them ANY personal information do it.

And yet... you use Wifi that can be "sniffed" direct from source that bypasses EVERY security measure you put in place!!
Might as well broadcast it on a giant 500" hi-res screen from the top of your house. [8|]

Stupid. Just soooo stupid!


You meet up with people by passing personal info OFF site.
How easy is that??

quote:

ORIGINAL: crumpets
You missed one key point.

If you sat next to me at Starbucks, and you logged into collarspace and I logged into fetlife, then I'd have your password, but you would not have mine.

Likewise, if we switched places, since I use encryption on Collarspace, if I logged into Collarspace, and you logged into Fetlife, you'd STILL not have my password on either site, while I'd still only have yours for Collarspace.

That is a very important technical distinction.

FALSE!!!
You are on WiFi which is open for EVERYONE to look at.
Anyone within 300 yards "sniffing" will get BOTH of your logins for BOTH sites.

quote:

ORIGINAL: crumpets
THIS IS THE MOST IMPORTANT HELPFUL HINT OF ALL!
Do not log into this site without adding encryption!

Again... FALSE!!
Don't use Wifi!!


So instead of bleating about site security, how's about using some security for your connection to the internet?




Lucylastic -> RE: No site security concerns in real life (1/25/2016 2:18:55 AM)

I wasn't implying anything.




LadyPact -> RE: No site security concerns in real life (1/25/2016 3:18:48 AM)

quote:

ORIGINAL: crumpets
I doubt I have ever once given Collarspace or Fetlife my real email, so, um, what are they gonna do with [email protected] ?

I'm not talking about the email you entered when you signed up for the site. I'm talking about the email that you send and receive through this site. Different thing.

quote:

In order to make sense to each other, we must strive to SEPARATE wholly different issues:
1. Any real information in the public profile (e.g., your real birthdate or full name or zip code)
2. Any real information in the mail system (e.g., your phone number or picture or whom you converse with and what about)
3. Your login credentials (e.g., your password).

I agree that we have to separate the issues. The original of the thread started with the lack of security for login. Some of the other stuff that's being discussed is pretty much normal thread drift. Most of my contributions to this thread involve #2 above because even with secure log in, no matter what you do, you can't prevent Admin access.

quote:

To each his/her/its own, but I never give any real information in the public profile, but I almost always give true information in the mail system to people I care about meeting, and, I certainly care greatly about my login credentials being protected by encryption.

And the bold is exactly why your information is not secure. Unless the person who received your email (with your personal information in it) deletes it after reading it, that email stays in the mail system for a year. Not all Admin with highest level access will read emails between members but we know that at least some of them did.

quote:

I don't even know what birthday I have given to ANY site, since I have never given any site my real birthday. I can't see why anyone would EVER give their real birthday.

But, I'm mostly worried about the login/password credentials which are available for the taking on Collarspace for anyone near enough to you to take them.

Once they have your login credentials, they have everything.

You don't think Admin can reset login credentials? It wouldn't look like anything odd to most regular members. The very next time somebody writes a thread on the forums about not being able to access their account and they are told to write Support for help, ask them what Support did to get them back in.

quote:

I too have failed in this regard.

I have given people my home address in the past so that they could come and swim nekked in my pool, and it was fun, but now my home address is out there for the taking if that person doesn't use encryption (don't worry - she taught me some things about encryption that I still use today!).

It was a scam.
They deserve the lawsuits.
But that's a different topic because the site itself was hacked.

Yes. Different topic. I think the AM thing scared a lot of people.

quote:

While I would think CS is ripe for a similar hack, this thread isn't about that.
This thread is mostly about the lack of basic protection for your login and password on CS.

The question really becomes will the site invest the money to make the change. I'm just going with the odds by saying no. If I turned out to be wrong, I'd be pleasantly surprised but I'm not holding my breath, either.

quote:

How do you guys know all this?
I don't have a clue what the admins say or do.
You both must have a red telephone in your bedroom that they don't want to give me.
(jk)

I know you were kidding but I'll put something here, anyway. Long term members here sometimes know more than other people realize. One small piece of information might be known to regular member X and another known by regular member Y. Just like most of us didn't know what was happening when A**** was LMIC, as regular members started talking, some things kind of got figured out after the fact. Things that we thought were strange at the time but made more sense as information came in later.


Edited to fix the dang quote feature, yet again.




angelikaJ -> RE: No site security concerns in real life (1/25/2016 4:31:55 AM)


quote:

ORIGINAL: crumpets

quote:

ORIGINAL: angelikaJ
Here's the thing: no one sends me mail with sensitive personal information in it.


Like I said quite a few times, there are people who don't feel they need any protection, and there are people who do.
It's just like people who feel they need protection when they have sex, while others feel they don't need any protection at all.

You don't seem to care if someone next to you at Starbucks has your password the moment you type it in (it's all easily logged so he doesn't have to be waiting).

EDIT: I'll post a test I ran at a local Starbucks earlier today just to show you a representative output from the easily available freeware.

NOTE: Every single computer-savvy person on the planet knows how to do this - so please do not assume it's a "special" skill or that it takes special tools to capture all your packets at the local Starbucks, including those that I'll show which indicate all the logins and passwords for all the non-encrypted web sites you log into.


I don't peruse the forums, or anywhere else from Starbucks.

I am online from my non-wi-fi home PC which has all sorts of security.

And as for condoms, nope, don't use those either.
I am in a relationship with one Man, and my Dr assures me that I am well past the point of procreation.

In other words, as well meaning as your advice is (and it is very well meant), this is not a one size fits all world.




Lucylastic -> RE: No site security concerns in real life (1/25/2016 4:40:44 AM)


quote:

ORIGINAL: angelikaJ


I don't peruse the forums, or anywhere else from Starbucks.

I am online from my non-wi-fi home PC which has all sorts of security.

In other words, as well meaning as your advice is (and it is very well meant), this is not a one size fits all world.


that works for me too




furneaux -> RE: No site security concerns in real life (1/25/2016 5:05:17 AM)

Re the cost implications... a domain cert is less than $200. It costs next to nothing to implement.

Whilst *you* may not reuse passwords, the majority of people do. This is the sort of thing that makes the bad guys' job that much easier. The original post was for the benefit of all. It's a shame it wasn't taken in that spirit.




freedomdwarf1 -> RE: No site security concerns in real life (1/25/2016 5:44:13 AM)


quote:

ORIGINAL: furneaux

Re the cost implications... a domain cert is less than $200. It costs next to nothing to implement.

Whilst *you* may not reuse passwords, the majority of people do. This is the sort of thing that makes the bad guys' job that much easier. The original post was for the benefit of all. It's a shame it wasn't taken in that spirit.

The thing is... it WAS taken in that spirit.

The thing you and crumpets fail to grasp is that the site does not collect any personal info and does not require such measures.
Most of us accept this and take it for what it is.
Unfortunately, crumpets has gone into overdrive over it and doesn't realise that his BIGGEST failure is to use WiFi.




PonyGroom -> RE: No site security concerns in real life (1/25/2016 6:44:36 AM)


quote:

ORIGINAL: furneaux

Crumpets - it's laudable you have bothered to make an effort to explain. I couldn't be bothered after getting insults from the pig ignorant residentmuppet etc. It is funny to be told I don't know anything about the subject (it's my job) by shoutypants like him. Bless.

I suspect you're wasting your time though. Hopefully some sensible people will take something from it. I've deleted my account (although this board, which took my credentials - no doubt in plain text form - remains active. *slow clap*)


The internet security industry standard warnings include the advice NOT to post anything on any social media site you want kept secret and private. Colloquially, don't post anything anywhere if you don't want your mother to read it.

Encryption does not keep your information safe.

It's interesting to me that you can't manage to delete your account or posts here, yet you say you are an expert in site security. And, you obviously did not read the site TOU and Privacy Policy.




crumpets -> RE: No site security concerns in real life (1/25/2016 6:51:05 AM)

quote:

ORIGINAL: furneaux

Crumpets - it's laudable you have bothered to make an effort to explain. I couldn't be bothered after getting insults from the pig ignorant residentmuppet etc. It is funny to be told I don't know anything about the subject (it's my job) by shoutypants like him. Bless.

I suspect you're wasting your time though. Hopefully some sensible people will take something from it. I've deleted my account (although this board, which took my credentials - no doubt in plain text form - remains active. *slow clap*)


I was wondering why you hadn't popped in to add value!

I do agree that there are (at least) three types of people who posted to this thread:
1. Those who already know what they're talking about (e.g., furneaux, tj444, PonyGroom, etc.)
2. Those who are open to learning, who happen to know many other things (which we can all benefit from) (e.g., LP, LucyLastic, angelikaJ, Wayward5oul, etc.)
3. Unfortunately, the clueless who have absolutely no desire (nor capacity) whatsoever to learn (e.g., stef, freedomdwarf1, mousekabob, WickedsDesire, MsLadySue, susie, MrRodgers, Spiritedsub2, dvr-whatever, etc.)

The very few WORTH discussing this with are on the first two lists; the rest of the hoi polloi aren't worth the ink inherent in the text.

However, even I learned something from the proletariat in that third list - which is - that the best thing (for everyone) is to just HIDE them - and that saves EVERYONE (not only me) the supreme waste of time it is to try to teach them anything (i.e., they can't be taught; they don't have the mental capacity or attitude).

But, we persist ... for some of us - it's who we are ... naturally service minded and truly helpful to a fault ... so we yearn to help and edify others ....

Some are worth that sincere Good-Samaritan effort; others are not.

The trick I need to better employ is to wholly ignore those not worth the effort - so that we may focus on responding to those who are capable of learning and adding value to the discussion, for the benefit of all (as always, which is my goal).




PonyGroom -> RE: No site security concerns in real life (1/25/2016 6:51:44 AM)


quote:

ORIGINAL: freedomdwarf1

... the site does not collect any personal info and does not require such measures.
Most of us accept this and take it for what it is.
Unfortunately, crumpets has gone into overdrive over it and doesn't realise that his BIGGEST failure is to use WiFi.



Repeated here so anyone who has you hidden will see your very important point.

Use of WiFi at hotspots is common, and dangerous.

Nothing this or any other site can do will eliminate the risk brought by using WiFi at a hotspot.





furneaux -> RE: No site security concerns in real life (1/25/2016 6:53:39 AM)

Freedomdwarf1 -

This site collects username, password, dob (many use their real one). Most people re-use passwords all over the place. That's enough to warrant some security. You are *not* safe just because you don't use wifi. Your AV won't protect you.

---------

In practice, for low-level attackers, password sniffing mostly occurs through three mechanisms:

Close to the user (you). E.g. you are using your laptop and connecting through a WiFi access point; other machines connected to the same access point see all your traffic. Note that "taking steps" to prevent such local attackers can be quite difficult (for instance, forget it if WiFi is involved).

Close to the server. Typically, servers are mass-hosted in some shared facilities, and indelicate server owners may spy on their neighbours. Whether this is possible or even easy depends a lot on the competence of the network administrators at the hosting site.

Through active redirection. When you want to connect to a server, you actually type a name, and then the DNS finds the IP address which corresponds to that name. Your machine will send the packets to that IP address. However, the DNS, as a whole, is poorly protected, and can be altered by malicious individuals. A bad guy may then transparently redirect your packets to his own machines; he may even inspect the data but still forward it to their true destination, which makes him a Man-in-the-Middle. At that point, the attacker sees all the data, including the password and whatever the password protects, and can hijack the connection at any time.
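
The server-side counterpart, as an added example that is not code from the thread or from the site it discusses: an audit of a fetched login page for the settings that close all three paths above (TLS for the page and the form action, so local and hosting-side observers see only ciphertext; HSTS, so a redirector cannot downgrade a later visit to plain http; and a Secure session cookie, so the session never crosses plain http). The two responses, URLs and cookie name are constructed.

```python
"""Login-page transport audit (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Records the action of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self.login_actions = []
        self._form = None  # [action, has_password_input] while inside a form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = [a.get("action") or "", False]
        elif tag == "input" and self._form and a.get("type", "").lower() == "password":
            self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            if self._form[1]:
                self.login_actions.append(self._form[0])
            self._form = None


def _split_response(raw_response: str):
    """Return ([(lower-name, value), ...], body) from a raw HTTP response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs, body


def audit_login_page(page_url: str, raw_response: str) -> list:
    """Return findings for a fetched login page; an empty list means it passed."""
    findings = []
    headers, body = _split_response(raw_response)
    # 1. The page itself must arrive over TLS.
    if urlsplit(page_url).scheme != "https":
        findings.append("login page served over http")
    # 2. Every password form must post to an https URL; a relative action
    #    inherits the page scheme, so resolve it against the page first.
    parser = _FormCollector()
    parser.feed(body)
    for action in parser.login_actions:
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            findings.append(f"login form posts over http: {target}")
    # 3. HSTS stops a redirector from downgrading the next visit to http.
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")
    # 4. The session cookie must be marked Secure so it never crosses plain http.
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            flags = {p.strip().lower() for p in value.split(";")[1:]}
            if "secure" not in flags:
                findings.append(f"cookie {cookie} lacks Secure flag")
    return findings


# Constructed: a login page of the kind the thread describes, plain http throughout.
WEAK_URL = "http://www.example-site.test/login"
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html><body><form method='post' action='/login'>"
    "<input name='user'><input type='password' name='password'>"
    "</form></body></html>"
)

# Constructed: the same page once it is served over TLS with HSTS and a Secure cookie.
FIXED_URL = "https://www.example-site.test/login"
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body><form method='post' action='/login'>"
    "<input name='user'><input type='password' name='password'>"
    "</form></body></html>"
)
```

Running `audit_login_page(WEAK_URL, WEAK_RESPONSE)` reports four findings; the fixed page reports none.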




furneaux -> RE: No site security concerns in real life (1/25/2016 7:10:30 AM)

Quite capable of deleting my account on here... it should have been autodeleted however. The fact that it wasn't shows that the passwords are passed from one site to another - no doubt unhashed - and not maintained as one. Feeble. I shall delete it soon as this is clearly a waste of my time.





freedomdwarf1 -> RE: No site security concerns in real life (1/25/2016 7:29:17 AM)

A username is just that and nothing else and is not really of any use to anyone else.
And pretty much the same for your password.
Those who are internet savvy change it regularly.
And an awful lot of people don't use their real age or location for obvious reasons.
The same goes for passing ANY personal info on a website as the mails are not 'private' or secure.

I have never contended that anyone's AV will protect you; so that's a red herring and just muddying the waters.

As for the server end, we all know they are vulnerable. That is an undeniable fact.
My contention is that anyone using a sniffer can view what you send via any WiFi link at its source.
Even a so-called "secure" connection is not secure, not even remotely.
That little fact was revealed last year in a British program called Click.
They drove round a private housing estate and viewed all sorts of "private" info on secured access points and the user had no idea they were being 'watched' at all.
The guy showing us used standard commercially available software and 'cracked' WEP/WPA/WPA2 encryption in a matter of seconds and reproduced everything the unsuspecting user had on their screens.
Not only what they were doing online but also what was on their machines.
It was frighteningly easy and most disconcerting to say the least.
These weren't public/open access points (which are far easier) but secure/protected ones.

So my argument is, you can use all the security you care to throw at your PC and also on any website; but it is immediately and completely undone when you use any WiFi/wireless link.
And it wouldn't matter if you used Tor or VPNs or any other obscure way to access the internet or a website, the moment you use any sort of WiFi connection you are completely transparent to the outside world and might just as well display it for all and sundry to see on a public cinema screen in glorious colour.

You don't get that sort of vulnerability if you are hard-wired.




crumpets -> RE: No site security concerns in real life (1/25/2016 7:47:24 AM)

quote:

ORIGINAL: PonyGroom
Nothing this or any other site can do will eliminate the risk brought by using WiFi at a hotspot.


You do realize that you're almost dead wrong, right?
Besides, all you're doing by quoting an idiot is replicating nonsense in many cases.

There are plenty of things you can do to alleviate the (admittedly numerous) risks at public hot spots.
Besides, many of the risks inherent at public hotspots also exist in the home network environment.

It's actually a bit more complex than that since it's actually safer, in some ways, to connect from a public hotspot than it is to connect at home.
As always, the devil is in the details.




crumpets -> RE: No site security concerns in real life (1/25/2016 8:03:42 AM)


quote:

ORIGINAL: LadyPact
I'm talking about the email that you send and receive through this site.

We agree.
The danger of handing your login credentials to basically just about anyone nearby or in the path of your traceroute, is that they now have access to EVERYTHING that you have access to.

quote:

ORIGINAL: LadyPact
Most of my contributions to this thread involve #2 above because even with secure log in, no matter what you do, you can't prevent Admin access.

I agree with you, as usual.

I don't think there is any way "we" can prevent an admin of Collarspace from complete access to everything.

quote:

ORIGINAL: LadyPact
Unless the person who received your email (with your personal information in it) deletes it after reading it, that email stays in the mail system for a year. Not all Admin with highest level access will read emails between members but we know that at least some of them did.

Actually, nothing is truly "deleted" on the Internet, in most cases.
Even your supposedly deleted private mail is backed up by competent system admins.
(Ask Oliver North about that.)
quote:

ORIGINAL: LadyPact
You don't think Admin can reset login credentials? It wouldn't look like anything odd to most regular members. The very next time somebody writes a thread on the forums about not being able to access their account and they are told to write Support for help, ask them what Support did to get them back in.

I'm positive that anyone with administrative privileges can modify/delete/add/change ANYTHING that shows up on this web site.
quote:

ORIGINAL: LadyPact
I think the AM thing scared a lot of people.

As well it should.
I don't often mention this, but a big portion of the AM hack was simply that people checked the box to REMEMBER me. That set a PERMANENT HASH, which the attackers took note of.

So, if anyone wants to learn a lesson from that which applies to Collarspace, UNCHECK THAT BOX!
[image]https://i.imgur.com/ZsssGjD.gif[/image]

quote:

ORIGINAL: LadyPact
The question really becomes will the site invest the money to make the change. I'm just going with the odds by saying no. If I turned out to be wrong, I'd be pleasantly surprised but I'm not holding my breath, either.

I don't disagree with you.
That's why the USERS should know about how dreadfully insecure this site is compared to similar sites.
And, then the users should be informed what they can do about it to better protect themselves.
It's just like basic 6th grade sex education.

Some people have the desire and capacity to get it; most have proven that they don't.

But we still strive to teach those who can be taught and to learn from those who have something of value to provide.

quote:

ORIGINAL: LadyPact
Long term members here sometimes know more than other people realize.

Yup. People like you and LC and DL and others know a ton that I don't know.
I appreciate that you impart that knowledge on those of us less in the know.
Thank you for teaching me a few things!
quote:

ORIGINAL: LadyPact
Edited to fix the dang quote feature, yet again.

Heh heh ... you have to deal with the quotes.
I have to deal with the captcha.

They don't make it easy to help people here, but, in a way, it's like a nicely honed D/s relationship.

The submissive strives to provide value to the dominant.
But not all dominants.
Most dominants aren't worth the submissive's time.
But, some are.

Those precious few worthy of attention are the ones whose needs the submissive tends to...




freedomdwarf1 -> RE: No site security concerns in real life (1/25/2016 8:14:42 AM)


quote:

ORIGINAL: crumpets

quote:

ORIGINAL: PonyGroom
Nothing this or any other site can do will eliminate the risk brought by using WiFi at a hotspot.


You do realize that you're almost dead wrong, right?
Besides, all you're doing by quoting an idiot is replicating nonsense in many cases.

There are plenty of things you can do to alleviate the (admittedly numerous) risks at public hot spots.
Besides, many of the risks inherent at public hotspots also exist in the home network environment.

It's actually a bit more complex than that since it's actually safer, in some ways, to connect from a public hotspot than it is to connect at home.
As always, the devil is in the details.


And the details have been PROVEN to be completely and utterly USELESS when using ANY WiFi connection - no matter how open or "safe" you think it is.

Check out BackTrack and Reaver software (just a couple of many out there).
WiFi/wireless connections, even encrypted ones, aren't anywhere near secure.





crumpets -> RE: No site security concerns in real life (1/25/2016 8:15:04 AM)


quote:

ORIGINAL: angelikaJ
I don't peruse the forums, or anywhere else from Starbucks.

You do realize that many of the problems that exist at Starbucks also exist at home, right?
And, logging in from home adds NEW problems, even if you have decent WPA2/PSK encryption properly set up.

quote:

ORIGINAL: angelikaJ
I am online from my non-wi-fi home PC which has all sorts of security.

Are you saying that your ISP does NOT have the ability to see your password in the clear?
Are you saying that EVERYONE between you and Collarspace and back doesn't also have your password?

Note: That's dozens of people on EVERY SINGLE LOGIN who have your Collarspace password!
quote:

ORIGINAL: angelikaJ
And as for condoms, nope, don't use those either.

Do you use VPN? Tor?

quote:

ORIGINAL: angelikaJ
I am in a relationship with one Man, and my Dr assures me that I am well past the point of procreation.

Diseases was what I was referring to, and you're NEVER past that point.

quote:

ORIGINAL: angelikaJ
In other words, as well meaning as your advice is (and it is very well meant), this is not a one size fits all world.

Nobody said it was (heck, I wear Magnum XL, so if anyone knows that, I do).
But, the point is that I wear them, despite the fact wearing them is like wearing a raincoat in the shower.

I happen to be extremely well versed in disease vectors (one of my degrees is in Microbiology).
Ignorance of microbiology may be bliss; but it's not protection.

Neither is ignorance of encryption protection.




crumpets -> RE: No site security concerns in real life (1/25/2016 8:21:25 AM)


quote:

ORIGINAL: PonyGroom
Encryption does not keep your information safe.


Did you actually understand ANYTHING in the post at the top where I provided a screenshot of the collarspace password in cleartext without encryption?

Please tell me you understood SOMETHING in that post.

Otherwise, you'll have to go on hide just like with the rest of the absolutely unteachable morons (who are barely better than speaking to monkeys).




Collarchat.com © 2025